Error message: The provided Certificate Signing Request (CSR) is invalid

We are facing an issue when trying to onboard our system: we always get the error message below when we try to run the compliance CSID on the simulation portal.

Below are the steps that we have followed, keeping in mind that we have followed the same instructions for other systems before and it was fine.

  1. Generate the private key by running the command openssl ecparam -name secp256k1 -genkey -noout -out PrivateKey.pem on the server

  2. Generate the public key by running the command openssl ec -in PrivateKey.pem -pubout -out PublicKey.pem on the server

  3. Generate the CSR file using the command openssl req -new -sha256 -key PrivateKey.pem -extensions v3_req -config config.cnf -out taxpayer.csr (config.cnf content below)

  4. Once the CSR is generated, we convert it to base64

  5. We generated the OTP from the Fatoora portal (simulation)

  6. We call https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/compliance with the correct OTP in the header and the base64 in the body, but then we get the error message below

{
  "errorCode": "400",
  "errorCategory": "Invalid-CSR",
  "errorMessage": "The provided Certificate Signing Request (CSR) is invalid."
}

Please help us resolve the issue

config file content:
oid_section = OIDs
[OIDs]
certificateTemplateName = 1.3.6.1.4.1.311.20.2
[req]
default_bits = 2048
emailAddress = sxxxx@xxx.com.sa
req_extensions = v3_req
x509_extensions = v3_ca
prompt = no
default_md = sha 256
req_extensions = req_ext
distinguished_name = dn
[dn]
C=SA
OU=Riyad Branch
O=Installation xxxxxx Est.
CN=icc-einvoice-dev-1
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[req_ext]
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing
subjectAltName = dirName:alt_names
[alt_names]
SN=1-icc|2-drupal7|3-d7
UID=300xxxxxx00003
title=1000
registeredAddress= Riyadh
businessCategory=IT

Dear @tassaf,

Would you please share the generated CSR? Please note that this issue may depend on the version of OpenSSL; some versions, for example, require a specific tag in the CSR generation command to include the extensions specified in the config file.

Please check the generated CSR and compare it with the default CSR included in the sandbox API documentation. If it’s way shorter, it means that the extensions are not included and you need to revise the command to ensure all of the extensions are included (ZATCA template).

Also, the UID should be the VAT number. If you are not comfortable sharing such information here, you may open a ticket by calling the ZATCA number or sending the details to SP_Support@ZATCA.gov.sa

Regards,

Thank you very much, this was helpful. After checking the version of OpenSSL, I found that the system admin has upgraded it from 3.0.2 to 3.2.2.

The new commands are:

openssl ecparam -name secp256k1 -genkey -noout -out PrivateKey.pem
openssl ec -in PrivateKey.pem -pubout -out PublicKey.pem
openssl req -new -sha256 -key PrivateKey.pem -config zatca_config.cnf -out taxpayer.csr
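
The reply above advises checking whether the extensions from the config file actually ended up in the CSR. One way to run that check on the text form printed by `openssl req -noout -text`, as an added example that is not part of the original thread; the function names, the script name and the sample text are constructed for illustration, and the base64 handling assumes the body from step 4 is the base64 of the PEM file:

```shell
#!/bin/sh
# Added example (not from the thread): check that a CSR carries the request
# extensions set in the config file, using `openssl req -noout -text` output.

TEMPLATE_OID='1.3.6.1.4.1.311.20.2'   # certificateTemplateName OID from the config above
SAN_LABEL='X509v3 Subject Alternative Name'

# Read the text form of a CSR on stdin and print one line per expected
# item that is absent. Prints nothing when both items are present.
missing_csr_items() {
    text=$(cat)
    for marker in "$TEMPLATE_OID" "$SAN_LABEL"; do
        case $text in
            *"$marker"*) ;;
            *) printf 'missing: %s\n' "$marker" ;;
        esac
    done
}

# Decode a CSR file and run the check. Accepts the PEM file itself or,
# as an assumption about step 4, the single-line base64 of that PEM file.
check_csr() {
    if grep -q -e '-----BEGIN' "$1"; then
        openssl req -in "$1" -noout -text
    else
        openssl base64 -d -A -in "$1" | openssl req -noout -text
    fi | missing_csr_items
}

# Constructed, abridged sample text (not captured from a real CSR).
SAMPLE_WITH_EXT='Certificate Request:
        Attributes:
            Requested Extensions:
                1.3.6.1.4.1.311.20.2:
                    ..PREZATCA-Code-Signing
                X509v3 Subject Alternative Name:
                    DirName:SN = 1-icc|2-drupal7|3-d7'
SAMPLE_NO_EXT='Certificate Request:
        Attributes:
            (none)'

# Usage: sh check_csr.sh taxpayer.csr   (exit status 1 if anything is missing)
if [ "$#" -gt 0 ]; then
    report=$(check_csr "$1")
    [ -z "$report" ] || { printf '%s\n' "$report"; exit 1; }
    echo "ok: template name and subjectAltName extensions present"
else
    printf '%s\n' "$SAMPLE_NO_EXT" | missing_csr_items   # demo on constructed text
fi
```

Run it on the CSR before requesting an OTP, so a CSR without the template extensions is caught locally instead of by the `Invalid-CSR` response.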